Most physical and cybersecurity professionals have worked completely separately since cybersecurity became a field in its own right. This continues to be the case, despite the efforts of my good friend and colleague James Willison and me to promote a joint approach with converged security risk management.
Whether enterprises see the benefits of the two areas of security risk working together or not, there is one thing that must change – physical security professionals must learn cybersecurity skills. Here’s why…
The Coronavirus is not the only cause of change in the world!
Physical security has been around for centuries, and over the last 20 plus years it has benefited from technological advancements in CCTV, access control systems, centralised alarm control systems, sensored perimeters, and many others. And, over the last few years, the technology has advanced even further to facilitate many more benefits. However, these are only achievable through these systems not only operating on an IP network, but also sharing other technologies, such as protocols, services and applications. The sharing goes beyond the basics, as it involves connecting with many more systems, which are totally different from each other, especially when we are talking about systems in smart buildings.
I call this last change the 'IoT-isation of technology,' which has pushed what were once physical security systems open to cybersecurity vulnerabilities.
This means that regardless of what physical security professionals think – be they installers, maintenance or facilities staff – they will have to learn enough cybersecurity practices to ensure that they are not making the rest of the network any more vulnerable than before the devices were installed. Unfortunately, if the current installers are not able to secure such devices, then enterprises will need to replace these suppliers with those who have the skillset to do so.
Change in skills requirements
Many of the devices being installed in a commercial environment are also being replicated in the home. More and more people are implementing surveillance technology into their houses under the guise of security, not understanding that they are probably more vulnerable to attack with some of these products than they were without them. Many of these products are amazingly simple to use; however, in many cases the functionality was never extended to include securing the device or system from hackers.
Since these systems are often purchased based upon their price point, and not the security built into the device or system, the chances of them being replaced due to cybersecurity issues are remote to non-existent.
Whilst some may be aware that there is a UK and EU coordinated law that is coming into operation in relation to consumer IoT products, it is so low level that it only deals with the top three of the thirteen ETSI standard requirements for device and system security.
Although commercial and domestic products are not exactly the same and being skilled in one doesn’t necessarily make you an expert in the other, they do utilise many similar technologies, which creates a fantastic opportunity for many small installer/integrator businesses.
However, there still needs to be a major shift in the skills required to install, maintain and oversee facilities, with cybersecurity at the forefront of this requirement.
Another driver is that several professional bodies and industry standards are beginning to include cybersecurity skills for any smart products that are installed into buildings, be they domestic or commercial. So, physical security professionals may only be left with a limited range of options:
- ignore cybersecurity and lose business to those who are willing to adapt to the market needs, or;
- leave the profession or industry because cybersecurity isn't for them, or;
- learn enough cybersecurity to adapt and add value to customers and the industry, or;
- go the whole hog and explore a career in cybersecurity, where you are able to provide the additional physical security and safety skills that most current cybersecurity professionals don’t have.
Basically, it seems that if you are or have been in physical security, and want to keep your job security for the longer term, you will have to learn some cybersecurity skills!
Add value to your business offering
The good news is that there is currently a cybersecurity skills shortage and the profession is looking to fill the gap from various avenues.
Unfortunately, some of my cybersecurity colleagues feel that many physical security professionals are not interested in working with cybersecurity teams to provide a single view of risk. There is a view that installers or facilities teams are so entrenched in their views about any non-physical security that they will resist change for as long as they can, while also holding back those who want to see change. This resistance is there and will be there for some time, but with the world moving towards smart technology, those who have at least some cybersecurity skills won't be completely left behind.
I do believe that since there is little or no chance that cybersecurity people will attempt to learn the risk skills physical security professionals have, the only chance we have of keeping good physical risk management skills is to train physical security professionals into cybersecurity. On this basis, physical security professionals can create a new breed of security professional. Not only that, they will be meeting an immediate gap that needs to be filled around the world, not just in the UK, US and Europe.
As a cybersecurity professional who researched the vulnerabilities of networked CCTVs, intruder alarms, fire alarms, HVAC systems, and other physical network devices at the time when they were not called IoT devices and they were all under the management of physical security teams, I can say that things have changed! Physical security is going to change much faster in the next few years, often in favour of those with cybersecurity skills.
To respond to this big shift, physical security professionals will have to learn some cybersecurity skills, whether it is for 5-10% of their jobs, or as much as 20-30% each working week.
I would like to start this discussion and ask what you would like to see to help you make that progression and have the sustainable future you need for yourself and your business. If you have any questions or there are any topics that you would like me to cover, please feel free to post them on this page, and I will try to respond when I get the chance.
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, intruder/fire alarms and guarding – and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.
Sarb Sembhi CISM, is CTO & CISO at Virtually Informed and a contributor to IFSEC Global.